{"id":259,"date":"2025-02-10T00:00:00","date_gmt":"2025-02-09T23:00:00","guid":{"rendered":"https:\/\/kosokoking.com\/?p=259"},"modified":"2025-02-05T15:03:16","modified_gmt":"2025-02-05T14:03:16","slug":"petitpotam-ntlm-relay-attack-mitigation-guide","status":"publish","type":"post","link":"https:\/\/kosokoking.com\/index.php\/security\/petitpotam-ntlm-relay-attack-mitigation-guide\/","title":{"rendered":"PetitPotam NTLM Relay Attack: Mitigation Guide"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Imagine a cyberattack so insidious that, as first published, it required no credentials and no insider access, yet could compromise an entire Windows domain. <strong>PetitPotam is<\/strong> an authentication coercion technique that feeds a classic NTLM relay attack. This guide dives deep into the mechanics of <a href=\"https:\/\/github.com\/topotam\/PetitPotam\" target=\"_blank\" rel=\"noopener\" title=\"\">PetitPotam<\/a>, its implications for Active Directory security, and the best practices for mitigation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Understanding PetitPotam<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">PetitPotam is an authentication coercion technique aimed at Microsoft\u2019s NTLM authentication protocol. Rather than sitting between two parties like a classic\u00a0<strong><a href=\"https:\/\/www.howtogeek.com\/668989\/what-is-a-man-in-the-middle-attack\/\" target=\"_blank\" rel=\"noopener\" title=\"\">man-in-the-middle (MitM)<\/a><\/strong>\u00a0attacker, the attacker makes a victim server reach out to a host they control, then relays the resulting NTLM authentication to a third service. 
Discovered by security researcher Lionel Gilles (aka <a href=\"https:\/\/github.com\/topotam\/\" target=\"_blank\" rel=\"noopener\" title=\"\">Topotam<\/a>), this attack leverages a legitimate Windows RPC interface, the\u00a0<strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-efsr\/4892c610-4595-4fba-a67f-a2d26b9b6dcd\" target=\"_blank\" rel=\"noopener\" title=\"\">Microsoft Encrypting File System Remote Protocol (MS-EFSRPC)<\/a><\/strong>, to force a target server (typically a domain controller) to authenticate to a host controlled by the attacker, who relays that authentication onward.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How Does It Work?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">To appreciate the mechanics of PetitPotam, it\u2019s important to first understand NTLM authentication and its vulnerabilities:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>NTLM Overview<\/strong>:\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/kerberos\/ntlm-overview\" target=\"_blank\" rel=\"noopener\" title=\"\">NTLM (NT LAN Manager)<\/a> is an authentication protocol used in Windows environments for legacy compatibility. Despite being largely replaced by <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/kerberos\/kerberos-authentication-overview\" target=\"_blank\" rel=\"noopener\" title=\"\">Kerberos<\/a>, NTLM remains widely deployed due to backward compatibility requirements.<\/li>\n\n\n\n<li>NTLM is a challenge-response protocol: the server sends a challenge and the client answers with a value derived from its password hash, so the password itself never crosses the wire. Nothing in that exchange ties the messages to the connection they arrived on, however, so a host that receives an authentication can forward the challenge and the response to a third server and let the victim solve the challenge on its behalf. That is a relay attack, and it needs no password cracking at all.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>PetitPotam\u2019s Innovation<\/strong>:\n<ul class=\"wp-block-list\">\n<li>PetitPotam originally abused the\u00a0EfsRpcOpenFileRaw\u00a0function within MS-EFSRPC; the public tool later added other methods of the same interface, such as EfsRpcEncryptFileSrv, that trigger the same behaviour. 
The function opens an encrypted file for raw, backup-style access, and it takes the file name as a path that may point at a share on another host.<\/li>\n\n\n\n<li>By calling it with a path such as \\\\attacker-host\\share\\file, an attacker coerces the target into connecting to that host over SMB and authenticating to it with the target\u2019s own machine account via NTLM.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Relaying Credentials<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Once the attacker receives the NTLM authentication, they relay it to another service that accepts NTLM and does not enforce signing or channel binding, most commonly the Web Enrolment interface of <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/ad-cs\/active-directory-certificate-services-overview\" target=\"_blank\" rel=\"noopener\" title=\"\">Active Directory Certificate Services (AD CS)<\/a>.<\/li>\n\n\n\n<li>The relayed identity is the coerced machine account, so AD CS will issue the attacker a certificate for that account from a template it may enrol in. When the coerced host is a domain controller, that is a certificate that authenticates as the domain controller itself.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Domain Compromise<\/strong>:\n<ul class=\"wp-block-list\">\n<li>With the certificate obtained via AD CS, attackers authenticate to Kerberos with PKINIT and obtain a Ticket Granting Ticket (TGT) for the domain controller\u2019s machine account. 
A domain controller\u2019s ticket carries the replication rights needed for DCSync, so the attacker can pull every account\u2019s password hash, including krbtgt, and from there forge tickets for any identity: full control over the domain.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Why Is This Dangerous?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">What makes PetitPotam particularly alarming is its ability to bypass traditional security measures:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>No Credentials Required<\/strong>: In its original form PetitPotam needed no account at all. Microsoft\u2019s August 2021 update for CVE-2021-36942 closed the unauthenticated path, but any low-privileged domain account can still trigger the coercion, so one phished user is enough to start the chain.<\/li>\n\n\n\n<li><strong>Exploits Default Configurations<\/strong>: A default AD CS installation with the Web Enrolment role accepts NTLM over plain HTTP without Extended Protection for Authentication, which is exactly what a relay needs.<\/li>\n\n\n\n<li><strong>Enables Full Domain Takeover<\/strong>: Once successful, attackers can impersonate any user or service in the domain.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Why PetitPotam Matters<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">PetitPotam isn\u2019t just another vulnerability; it\u2019s a case study in how attackers exploit legacy protocols and misconfigurations to devastating effect. To understand its significance, we need to place it in the broader context of Active Directory security and NTLM relay attacks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Problem with NTLM<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">NTLM has long been criticised for its inherent vulnerabilities:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Lack of Mutual Authentication<\/strong>: Unlike Kerberos, NTLM gives the client no proof of which server it is talking to, and the authentication is not bound to the connection it travels over. 
This makes it susceptible to relay and MitM attacks.<\/li>\n\n\n\n<li><strong>Weak Cryptography<\/strong>: The NT hash is unsalted MD4 and NTLMv1 responses are built with DES, so captured challenge-responses can be cracked offline. A relay needs none of that: the victim does the cryptographic work and the attacker simply forwards the result.<\/li>\n\n\n\n<li><strong>Legacy Dependencies<\/strong>: Despite its flaws, NTLM remains widely used because many enterprise applications and systems still depend on it.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Active Directory Certificate Services (AD CS)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">AD CS plays a critical role in Windows environments by enabling Public Key Infrastructure (PKI). However, its complexity often leads to misconfigurations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Web Enrolment Vulnerabilities<\/strong>: The Certificate Authority Web Enrolment role (the \/certsrv pages) accepts NTLM over plain HTTP by default, and without Extended Protection for Authentication it cannot distinguish a relayed NTLM exchange from a genuine one.<\/li>\n\n\n\n<li><strong>Default Permissions<\/strong>: Default templates let the accounts they are meant for enrol without approval (Machine for any domain computer, DomainController for domain controllers), so a relayed machine account is enough to obtain a client-authentication certificate for that machine.<\/li>\n\n\n\n<li><strong>Lack of Awareness<\/strong>: Administrators often overlook AD CS when securing their Active Directory environments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">A Perfect Storm<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">PetitPotam exploits the intersection of these issues\u2014legacy protocols like NTLM, misconfigured AD CS deployments, and insufficient monitoring\u2014to devastating effect. 
It\u2019s a wake-up call for organisations that have neglected these areas of their security posture.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Anatomy of an Attack<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To fully grasp the implications of PetitPotam, let\u2019s walk through a hypothetical attack scenario:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Reconnaissance<\/strong>:\n<ul class=\"wp-block-list\">\n<li>The attacker locates the domain controllers and any server running AD CS with Web enrolment enabled (the \/certsrv virtual directory on the CA host).<\/li>\n\n\n\n<li>Tools like Nmap or custom scripts can identify these targets based on open ports and service banners.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Triggering MS-EFSRPC<\/strong>:\n<ul class=\"wp-block-list\">\n<li>With a relay listener already running, the attacker uses a publicly available proof-of-concept (PoC) tool such as PetitPotam.py to send a crafted MS-EFSRPC request to a domain controller, passing a UNC path that points at the relay host.<\/li>\n\n\n\n<li>The domain controller connects to that path over SMB and authenticates to the relay host with its machine account via NTLM.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Relaying Credentials<\/strong>:\n<ul class=\"wp-block-list\">\n<li>The NTLM authentication is relayed to the AD CS Web enrolment endpoint using tools like <a href=\"https:\/\/github.com\/fortra\/impacket\/blob\/master\/examples\/ntlmrelayx.py\" target=\"_blank\" rel=\"noopener\" title=\"\">ntlmrelayx <\/a>from <a href=\"https:\/\/github.com\/fortra\/impacket\/tree\/master\" target=\"_blank\" rel=\"noopener\" title=\"\">Impacket<\/a>, whose --adcs option handles the certificate request automatically.<\/li>\n\n\n\n<li>The attacker is now authenticated to AD CS as the coerced machine account.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Certificate Request<\/strong>:\n<ul class=\"wp-block-list\">\n<li>The attacker requests a certificate for that account from a template it may enrol in (Machine, or DomainController for a domain controller).<\/li>\n\n\n\n<li>This certificate is then used with PKINIT to obtain a Kerberos TGT for the machine account, with a tool such as Rubeus or PKINITtools.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Domain Control<\/strong>:\n<ul class=\"wp-block-list\">\n<li>With the domain controller\u2019s TGT in hand, the attacker gains 
the replication rights to DCSync every password hash in the domain and, through them, unrestricted access to domain resources.<\/li>\n\n\n\n<li>They can create new accounts, modify group memberships, or deploy ransomware across the network.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Detecting PetitPotam Exploitation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Detecting PetitPotam attacks requires vigilance and robust monitoring:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Network Traffic Analysis<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor SMB traffic on port 445 for MS-EFSRPC calls, which arrive over the <a href=\"https:\/\/learn.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-lsad\/64ea7ac4-32ef-44f6-ab51-ea2b5a1c2390\" target=\"_blank\" rel=\"noopener\" title=\"\">LSARPC<\/a> and EFSRPC named pipes, from hosts that have no business doing EFS backup against a domain controller.<\/li>\n\n\n\n<li>Just as telling is outbound SMB from a domain controller to a workstation or an unknown host: a DC rarely initiates SMB to clients, and that connection is the coerced authentication leaving the building.<\/li>\n\n\n\n<li>Look for connections from unexpected IP addresses or devices attempting to access AD CS Web enrolment endpoints.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Event Logs<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Windows Event Viewer can provide valuable clues:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A relayed authentication is logged by the server that accepted it, so check the CA host\u2019s Security log for event 4624 with Authentication Package NTLM, Logon Type 3 and an account name ending in $ whose Source Network Address is not the address of that machine. A machine account logging on from somebody else\u2019s IP is the signature of a relay.<\/li>\n\n\n\n<li>On domain controllers, look for event 4768 (Kerberos TGT requested) whose Certificate Information fields are populated for an account that normally authenticates with a password, above all a domain controller\u2019s own machine account.<\/li>\n\n\n\n<li>On the CA, with auditing of certificate requests enabled, look for events 4886 and 4887 (certificate requested and issued) where the requester is a domain controller account; DCs do not normally obtain fresh certificates through Web enrolment.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Intrusion Detection Systems (IDS)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Configure IDS solutions like Snort or Suricata to flag DCERPC binds to the MS-EFSRPC interface from unexpected sources and HTTP requests to \/certsrv that authenticate with NTLM.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Behavioural Analytics<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Advanced security solutions that use machine learning can detect deviations from normal behaviour patterns:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sudden spikes in certificate requests.<\/li>\n\n\n\n<li>Unusual account activity following an NTLM authentication event.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Mitigation Strategies<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The good news is that organisations can 
protect themselves against PetitPotam with proactive measures:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Disable NTLM Authentication<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The most effective defence against PetitPotam is disabling NTLM wherever possible:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use the Group Policy setting Network security: Restrict NTLM: Incoming NTLM traffic on domain controllers and AD CS servers. Run it in Audit all mode first; the audit events land in the Microsoft-Windows-NTLM\/Operational log and tell you which clients still depend on NTLM before you switch to Deny all accounts.<\/li>\n\n\n\n<li>Block the coercion itself: an RPC filter that rejects binds to the MS-EFSRPC interfaces on domain controllers stops the EfsRpc* calls before any authentication leaves the machine. Test it first, because EFS-aware backup tooling uses the same interface.<\/li>\n\n\n\n<li>Transition legacy applications and systems to Kerberos or other modern authentication protocols.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2. Harden AD CS Configuration<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If disabling NTLM isn\u2019t feasible due to legacy dependencies:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce Extended Protection for Authentication (EPA) on the CertSrv and Certificate Enrollment Web Service directories in IIS (Extended Protection: Required). EPA binds the NTLM exchange to the TLS channel, so an authentication relayed from elsewhere fails.<\/li>\n\n\n\n<li>Require HTTPS for all AD CS Web traffic and remove the plain HTTP binding; EPA only works over TLS.<\/li>\n\n\n\n<li>Remove the NTLM provider from Windows Authentication on those sites so that only Negotiate:Kerberos is offered; Kerberos cannot be relayed this way.<\/li>\n\n\n\n<li>If Web Enrolment and the Certificate Enrollment Web Service are not actually used, uninstall them: with no NTLM-accepting endpoint there is nothing to relay to.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3. Apply Microsoft Patches<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft has released updates addressing some aspects of PetitPotam exploitation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The August 2021 update for CVE-2021-36942 blocks the unauthenticated EfsRpcOpenFileRaw call; keep Windows Server and related components current, since coercion via other interfaces has continued to surface.<\/li>\n\n\n\n<li>Follow Microsoft\u2019s official guidance for securing AD CS against relay attacks (KB5005413), which is the EPA and NTLM configuration described above.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4. Network Segmentation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Restrict access to critical systems like domain controllers and AD CS servers using firewalls and VLANs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Limit access based on least privilege principles; in particular, only the hosts that genuinely enrol through it should be able to reach the CA\u2019s Web enrolment site.<\/li>\n\n\n\n<li>Use jump servers or bastion hosts for administrative access.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5. 
Monitor and Audit<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Conduct regular audits of your Active Directory environment:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identify servers with AD CS Web enrolment enabled and confirm that each one requires HTTPS and has EPA set to Required.<\/li>\n\n\n\n<li>Review certificate templates (who may enrol, which allow client authentication) alongside service accounts and delegation settings for potential abuse vectors.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Tools for Defence<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Several tools can help detect and mitigate PetitPotam:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Microsoft\u2019s Mitigation Guidance<\/strong><br>Follow Microsoft\u2019s official recommendations for securing AD CS against NTLM relay attacks (KB5005413).<\/li>\n\n\n\n<li><strong>Endpoint Detection and Response (EDR) Solutions<\/strong><br>Deploy EDR tools capable of identifying anomalous behaviour associated with PetitPotam exploitation.<\/li>\n\n\n\n<li><strong>Custom Scripts<\/strong><br>Use PowerShell scripts or third-party tools like PingCastle and Certipy (its find command lists enrolment endpoints and templates) to scan your network for vulnerable configurations.<\/li>\n\n\n\n<li><strong>Threat Intelligence Feeds<\/strong><br>Subscribe to threat intelligence services that provide real-time updates on emerging threats like PetitPotam.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Lessons Learned<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">PetitPotam serves as a stark reminder of why organisations must adopt a proactive approach to cybersecurity:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Legacy Protocols Are Risky<\/strong><br>Despite their ubiquity, protocols like NTLM are inherently insecure and should be phased out wherever possible.<\/li>\n\n\n\n<li><strong>Default Settings Are Dangerous<\/strong><br>Many vulnerabilities arise from misconfigured or default settings in enterprise environments; PetitPotam is no exception.<\/li>\n\n\n\n<li><strong>Awareness Is Key<\/strong><br>Educating IT staff about emerging threats like PetitPotam is crucial for timely detection 
and response.<\/li>\n\n\n\n<li><strong>Defence-in-Depth Is Essential<\/strong><br>Relying on a single layer of defence is never enough; organisations must implement multiple overlapping security measures.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In today\u2019s rapidly evolving threat landscape, PetitPotam stands out as both a warning and an opportunity: a warning about the dangers of complacency, and an opportunity to strengthen defences against similar exploits. By understanding its mechanics, detecting its signs, and implementing robust mitigations, you can fortify your defences against this potent attack vector.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cybersecurity isn\u2019t just about reacting; it\u2019s about anticipating what\u2019s next. As attackers continue refining their methods, staying informed is not just an option but a necessity. Stay vigilant, stay secure!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For more insightful and engaging write-ups, visit <a href=\"https:\/\/kosokoking.com\/\" target=\"_blank\" rel=\"noopener\" title=\"\">kosokoking.com<\/a> and stay ahead in the world of cybersecurity!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn how to detect and mitigate PetitPotam NTLM relay attacks. 
Protect your Active Directory with actionable steps for enhanced cybersecurity.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[201,278,177,282,281,280,277,276,275,279],"class_list":["post-259","post","type-post","status-publish","format-standard","hentry","category-security","tag-active-directory-security","tag-ad-cs-mitigation","tag-cybersecurity-best-practices","tag-domain-controller-protection","tag-microsoft-security-updates","tag-network-security-threats","tag-ntlm-authentication-vulnerability","tag-ntlm-relay-attack","tag-petitpotam","tag-windows-server-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/259","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/comments?post=259"}],"version-history":[{"count":1,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/259\/revisions"}],"predecessor-version":[{"id":260,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/259\/revisions\/260"}],"wp:attachment":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/media?parent=259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/categories?post=259"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/tags?post=259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
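The Event Logs section above lists the three events that, taken together, are the PetitPotam chain: an NTLM network logon by a machine account from the wrong address (4624 on the relay target), a certificate issued to that machine account (4887 on the CA), and a PKINIT TGT for it from the attacker's address (4768 on a domain controller). The following PowerShell is an added example, not code from the original post, that turns those checks into a small correlation function and runs it over constructed sample events; the host names, IP addresses and time stamps are invented, and the known-IP table is an assumption that you would fill from your own inventory. `ConvertFrom-SecurityEvent` shows how real `Get-WinEvent` records map onto the flat shape the detector expects.

```powershell
# Added example (not from the original post). Detection logic for the relay chain over
# constructed events; the $knownHostIps table is an assumption, fill it from your inventory.
$knownHostIps = @{ 'DC01$' = '10.0.0.10'; 'WS07$' = '10.0.5.31' }

function ConvertFrom-SecurityEvent {
    # Flattens a 4624 / 4768 / 4887 EventRecord from Get-WinEvent into the fields used below.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        # 4887 (CA) names the account in "Requester" as DOMAIN\name; 4624/4768 use TargetUserName.
        $account = if ($data.ContainsKey('Requester')) { ($data['Requester'] -split '\\')[-1] } else { $data['TargetUserName'] }
        [pscustomobject]@{
            Id = $Record.Id; Time = $Record.TimeCreated; Account = $account
            Ip = ("$($data['IpAddress'])" -replace '^::ffff:', '')   # 4768 logs IPv4 as ::ffff:a.b.c.d
            AuthPkg = $data['AuthenticationPackageName']; LogonType = $data['LogonType']
            CertThumb = $data['CertThumbprint']
        }
    }
}

function Find-RelaySignals {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [hashtable] $KnownHostIps,
        [int] $WindowMinutes = 30
    )
    $signals = foreach ($e in $Events) {
        $isMachine = $e.Account -like '*$'
        $known     = $KnownHostIps.ContainsKey($e.Account)
        $foreignIp = $known -and ($e.Ip -ne $KnownHostIps[$e.Account])
        switch ($e.Id) {
            # Relay target's log: a machine account logging on over NTLM from an address that is
            # not the machine itself. Someone else is holding that machine's authentication.
            4624 { if ($isMachine -and $e.AuthPkg -eq 'NTLM' -and $e.LogonType -eq '3' -and $foreignIp) {
                       [pscustomobject]@{ Time = $e.Time; Account = $e.Account; Stage = 'ntlm-relay'
                                          Detail = "NTLM logon from $($e.Ip), expected $($KnownHostIps[$e.Account])" } } }
            # CA log: a certificate issued to a machine account (routine for autoenrolment, not for a DC).
            4887 { if ($isMachine) {
                       [pscustomobject]@{ Time = $e.Time; Account = $e.Account; Stage = 'cert-issued'
                                          Detail = 'certificate issued to a machine account' } } }
            # DC log: a TGT obtained with a certificate (PKINIT) for a machine account, from a foreign address.
            4768 { if ($isMachine -and $e.CertThumb -and $foreignIp) {
                       [pscustomobject]@{ Time = $e.Time; Account = $e.Account; Stage = 'pkinit-tgt'
                                          Detail = "PKINIT TGT from $($e.Ip), thumbprint $($e.CertThumb)" } } }
        }
    }
    # The same account passing through relay and PKINIT inside the window is the full chain.
    $signals | Group-Object Account | ForEach-Object {
        $chain  = @($_.Group | Sort-Object Time)
        $stages = @($chain.Stage | Select-Object -Unique)
        $span   = ($chain[-1].Time - $chain[0].Time).TotalMinutes
        $sev = 'medium'
        if ($stages.Count -ge 2) { $sev = 'high' }
        if ($stages -contains 'ntlm-relay' -and $stages -contains 'pkinit-tgt' -and $span -le $WindowMinutes) { $sev = 'critical' }
        [pscustomobject]@{ Account = $_.Name; Stages = ($stages -join ' -> '); Minutes = [math]::Round($span, 1); Severity = $sev }
    }
}

# Constructed sample: DC01$ coerced and relayed to the CA (logged there as 4624), a certificate
# issued to DC01$ (4887), then a PKINIT TGT for DC01$ from the attacker's address (4768 on the DC).
# WS07$ (own address) and alice (user account, no certificate) are benign noise.
$sample = @(
    [pscustomobject]@{ Id = 4624; Time = [datetime]'2025-02-05T09:00:12'; Account = 'DC01$'; Ip = '10.0.9.77'; AuthPkg = 'NTLM'; LogonType = '3'; CertThumb = $null }
    [pscustomobject]@{ Id = 4887; Time = [datetime]'2025-02-05T09:00:14'; Account = 'DC01$'; Ip = '';          AuthPkg = $null;  LogonType = $null; CertThumb = $null }
    [pscustomobject]@{ Id = 4624; Time = [datetime]'2025-02-05T09:01:00'; Account = 'WS07$'; Ip = '10.0.5.31'; AuthPkg = 'NTLM'; LogonType = '3'; CertThumb = $null }
    [pscustomobject]@{ Id = 4768; Time = [datetime]'2025-02-05T09:02:00'; Account = 'alice'; Ip = '10.0.5.31'; AuthPkg = $null;  LogonType = $null; CertThumb = '' }
    [pscustomobject]@{ Id = 4768; Time = [datetime]'2025-02-05T09:03:40'; Account = 'DC01$'; Ip = '10.0.9.77'; AuthPkg = $null;  LogonType = $null; CertThumb = '1A2B3C4D5E6F' }
)
Find-RelaySignals -Events $sample -KnownHostIps $knownHostIps | Format-Table -AutoSize

# Live use. The DC and CA Security logs have to be brought together first (event forwarding or a SIEM):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768, 4887; StartTime = (Get-Date).AddHours(-24) } |
#         ConvertFrom-SecurityEvent
# Find-RelaySignals -Events $live -KnownHostIps $knownHostIps
```

On the sample, only DC01$ is reported: stages `ntlm-relay -> cert-issued -> pkinit-tgt` within 3.5 minutes, severity critical. WS07$ is silent because its NTLM logon came from its own address, and alice is silent because a user account obtaining a TGT without a certificate is ordinary. The known-address check is what carries the detection; the events themselves are common, and it is the mismatch between the account and where it authenticates from that makes them suspicious.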
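Mitigation steps 1 to 3 above are configuration changes on two kinds of host: the domain controllers (inbound NTLM restriction and the RPC filter for MS-EFSRPC) and the AD CS web enrolment server (EPA, Kerberos-only providers, TLS). The script below is an added example, not code from the original post or from Microsoft, that applies them with the registry values behind the Restrict NTLM policy, `netsh rpc filter` and `appcmd`. It assumes the enrolment site lives at `Default Web Site/CertSrv`; if the Certificate Enrollment Web Service is installed, its virtual directories need the same IIS settings.

```powershell
# Added example (not from the original post): PetitPotam hardening for a DC and the AD CS
# web enrolment host. Assumptions: site path "Default Web Site/CertSrv", appcmd available.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# ---- 1. Inbound NTLM: audit first, enforce once the audit log is clean ----
# These are the values the "Network security: Restrict NTLM" Group Policy settings write.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
# 2 = audit all inbound NTLM; findings appear in the Microsoft-Windows-NTLM/Operational log.
Set-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
# 2 = deny all inbound NTLM. Leave commented until the audit has run long enough to surface
# every legacy client; enforcing blind breaks whatever still depends on NTLM.
# Set-ItemProperty -Path $lsa -Name 'RestrictReceivingNTLMTraffic' -Value 2 -Type DWord

# ---- 2. Block the coercion itself: RPC filter on the MS-EFSRPC interfaces (run on DCs) ----
# Interface UUIDs from the MS-EFSR specification (the \pipe\lsarpc and \pipe\efsrpc bindings).
$efsrpcInterfaces = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e',
    'df1941c5-fe89-4e79-bf10-463657acf44d'
)
foreach ($uuid in $efsrpcInterfaces) {
    netsh rpc filter add rule layer=um actiontype=block | Out-Null
    netsh rpc filter add condition field=if_uuid matchtype=equal "data=$uuid" | Out-Null
    netsh rpc filter add filter | Out-Null
}
# Verify, then test EFS-aware backup agents: they bind to the same interface and will now fail.
netsh rpc filter show filter

# ---- 3. AD CS web enrolment host: EPA required, Kerberos only, TLS only ----
$site    = 'Default Web Site/CertSrv'
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$winAuth = '-section:system.webServer/security/authentication/windowsAuthentication'
# Extended Protection binds the NTLM exchange to the TLS channel, so a relayed exchange fails.
& $appcmd set config $site $winAuth '/extendedProtection.tokenChecking:Require' /commit:apphost
# Offer Kerberos only. Add Negotiate:Kerberos, then drop NTLM and plain Negotiate
# (which can fall back to NTLM). Clients that cannot do Kerberos will stop enrolling here.
& $appcmd set config $site $winAuth "/+providers.[value='Negotiate:Kerberos']" /commit:apphost
& $appcmd set config $site $winAuth "/-providers.[value='NTLM']" /commit:apphost
& $appcmd set config $site $winAuth "/-providers.[value='Negotiate']" /commit:apphost
# EPA only works over TLS: require SSL on the directory (and remove the HTTP binding in IIS).
& $appcmd set config $site '-section:system.webServer/security/access' '/sslFlags:Ssl' /commit:apphost
```

The order matters. Auditing inbound NTLM before denying it is what lets you find the legacy clients the page warns about, and the RPC filter belongs on domain controllers only after confirming nothing legitimate calls EFSRPC against them. EPA and the Kerberos-only provider list overlap on purpose: EPA defeats the relay even if NTLM stays enabled, and removing NTLM defeats it even if a future client skips channel binding.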